CyFI-Lab-Public/MARSEA

MARSEA

Hiding in Plain Sight: An Empirical Study of Web Application Abuse in Malware

Foreword

MARSEA is an extensible concolic analysis framework built on top of S2E. To gain a general understanding of how concolic analysis works, please read the S2E documentation.

Before working with MARSEA, please read the accompanying paper to gain a thorough understanding of the tool and its potential extensions.

Deployment

For detailed deployment steps, refer to the README files for s2e_win and s2e_linux.

Example Usage (DEMO)

This repository includes a malware sample named Razy. This section demonstrates how to use MARSEA to analyze it. Razy is live malware: unzip and run it only inside the isolated analysis guest described in the s2e_win and s2e_linux READMEs, never on the host.

  1. Copy your custom-hook.dll from the Windows machine to the s2e_template folder. For instructions on generating custom-hook.dll, refer to s2e_win.
  2. Unzip the Razy sample.
  3. Activate the S2E environment. For activation instructions, refer to s2e_linux. pipeline.py depends on tqdm, so install it with pip install tqdm.
  4. Start the pipeline on the unzipped file by executing python pipeline.py -e [s2e_template] -s [sample_path] --run, where [s2e_template] is the absolute path of the s2e_template folder on your system and [sample_path] is the absolute path of the unzipped sample.
  5. When the analysis completes, you should see output similar to the following:
Analysis Done!
{'JS': {'twitter.com/pidoras6': ['WinHttpReadData',
                                 'StrStr',
                                 'WinHttpCrackUrl']},
 'FU': {'virustotal.com': ['WinHttpSendRequest']}}

The demo video can be found here

Output Explanation

The purpose of this section is to explain the output of this demo, which will help users verify the results generated by MARSEA.

  1. Locate the debug.txt file in $S2EDIR/projects/[sample_name]/s2e-last, or in its subfolders if MARSEA ran in multiprocessing mode (each process writes its own log, so a tag may be produced in a different file from the one in which it is consumed).
  2. Find the line containing the keywords [W] WinHttpCrackUrl. That line should carry a token of the form tag_in:CyFi_StrStrA followed by a number (e.g., 5), i.e. tag_in:CyFi_StrStrA5. This indicates that MARSEA found the argument passed to WinHttpCrackUrl originates from StrStrA. (The tag names the hooked ANSI variant, StrStrA, whereas the summary printed by pipeline.py lists it as StrStr.)
  3. Search backward from that line for tag_out:CyFi_StrStrA5 to locate the StrStrA call that produced the tagged data.
  4. If that line also contains a tag_in token, repeat step 3 with the new tag. Stop at the first line that carries no tag_in: that call is the information source.
  5. In this demo, following the chain shows that the argument to WinHttpCrackUrl originates from WinHttpReadData, which is associated with the connection to twitter.com/pidoras6.
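The backward walk in steps 2 to 4 is mechanical enough to script. The following Python is an added example, not part of MARSEA or pipeline.py: it parses a debug.txt, picks every tagged call of a sink API, and follows tag_in to the matching earlier tag_out until a line without tag_in is reached. The log excerpt is constructed for the example; the README only documents the "[W] <api>", "tag_in:<tag>" and "tag_out:<tag>" tokens, so the remaining fields on each line (host=, url=, needle=) are assumptions, as is the idea that a tag whose producer is missing from the file belongs to another process's log.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Constructed debug.txt excerpt for this example. It is not real MARSEA output:
# only the "[W] <api>", "tag_in:<tag>" and "tag_out:<tag>" tokens are documented
# in the README; the host=/url=/needle= fields are assumptions.
CONSTRUCTED_DEBUG_TXT = """\
[W] WinHttpCrackUrl url=http://virustotal.com/ tag_in:CyFi_StrStrA2
[W] WinHttpSendRequest host=virustotal.com
[W] WinHttpReadData host=twitter.com/pidoras6 tag_out:CyFi_WinHttpReadData3
[W] StrStrA needle=http tag_in:CyFi_WinHttpReadData3 tag_out:CyFi_StrStrA5
[W] WinHttpCrackUrl url=<symbolic> tag_in:CyFi_StrStrA5
"""

API_RE = re.compile(r"^\[W\]\s+(\w+)")
TAG_IN_RE = re.compile(r"tag_in:(\S+)")
TAG_OUT_RE = re.compile(r"tag_out:(\S+)")


def parse_debug(text: str) -> List[Dict]:
    """Keep only hook lines ([W] ...) and extract the API name and tag tokens."""
    records = []
    for raw in text.splitlines():
        m = API_RE.match(raw)
        if not m:
            continue  # other S2E/MARSEA log lines play no part in tag tracing
        records.append({
            "api": m.group(1),
            "tag_in": TAG_IN_RE.findall(raw),
            "tag_out": TAG_OUT_RE.findall(raw),
            "raw": raw,
        })
    return records


def producer_of(records: List[Dict], before: int, tag: str) -> Optional[int]:
    """Search backward from index `before` for the call whose tag_out is `tag`."""
    for j in range(before - 1, -1, -1):
        if tag in records[j]["tag_out"]:
            return j
    return None


def _trace(records: List[Dict], idx: int, seen: FrozenSet[str]) -> List[List[str]]:
    """Return every chain (sink first) reachable from records[idx]."""
    rec = records[idx]
    pending = [t for t in rec["tag_in"] if t not in seen]  # `seen` guards against cycles
    if not pending:
        return [[rec["api"]]]  # no tag_in: this call is an information source
    chains = []
    for tag in pending:
        prod = producer_of(records, idx, tag)
        if prod is None:
            # Assumed cause: the producer lives in another process's debug.txt
            # (multiprocessing mode). Report it rather than silently dropping it.
            chains.append([rec["api"], f"<unresolved:{tag}>"])
            continue
        for sub in _trace(records, prod, seen | {tag}):
            chains.append([rec["api"]] + sub)
    return chains


def trace_sources(text: str, sink_api: str) -> List[List[str]]:
    """For every tagged call of sink_api, return the chains from sink back to source."""
    records = parse_debug(text)
    chains = []
    for idx, rec in enumerate(records):
        if rec["api"] == sink_api and rec["tag_in"]:
            chains.extend(_trace(records, idx, frozenset()))
    return chains


if __name__ == "__main__":
    for chain in trace_sources(CONSTRUCTED_DEBUG_TXT, "WinHttpCrackUrl"):
        print(" <- ".join(chain))
```

For the constructed log this yields two chains: one that ends in `<unresolved:CyFi_StrStrA2>` because no earlier line emits that tag, and the demo chain `WinHttpCrackUrl <- StrStrA <- WinHttpReadData`. When MARSEA ran in multiprocessing mode, run the script over each subfolder's debug.txt and treat an unresolved tag as a pointer into a sibling log rather than as a dead end.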